I created a public app in Oracle Apex 20.1
I set session management like that --> session management
Application has no authentication and every page is public.
Unfortnently in the application logs I found many erros with Your session has expired message. It occurs multiple times in exactly same time. In user column there is a null value instead of nobody.
Logs from application
I would appreciate any advice how to fix my app
This is expected behaviour, there is nothing wrong with your application. Every page rendering in apex is a session - that is also true for public pages. The user is set to "nobody" indicating that the session is not authenticated. When a user leaves his browser open, eventually the session will time out.
You can increase the session idle time in Shared Components > Security attributes, but sessions will still timeout when they're idle for longer than this value.
The entries you're seeing in the application log seem to be coming from an ajax request, not from a page rendering action. This is hard to diagnose with no info about your application. I'm assuming you have a dynamic action or some javascript code with a timer to refresh the page or a page region. Once the session expires, those ajax requests start erroring out. What you could do is figure out what component/process is throwing the error message and put some logic in it so it only fires if the session is valid (using APEX_CUSTOM_AUTH.IS_SESSION_VALID)
Related
After loggin in OneDrive through a web application as explained here (http://msdn.microsoft.com/en-us/library/dn659751.aspx), I can see that a session (WL.getSession()) is obtained correctly. However, if I make a refresh on the page, it is getting lost. I guess this is due to some cookies management. Is it possible to have the session not cleared at refresh?
Thanks,
Stanislav
Typically, you should call WL.login or otherwise check login status first (see WL.getloginStatus). These will return a session object if the user is logged in and has consented, so on refresh your session object should not be null unless they have logged out and you need to sign them in again. You may be "losing" the session depending on when you are calling WL.getSession()
Check out the interactive SDK sample on signing users in
I can redirect a user to home page upon session logout.. this was very simple. However, if an user had logged into the app and had the page open, even on session time out, he is able to perform all the functions(this is bad).
The redirect does not happen until the page is refreshed, or submitted to the server... there are some update functions that could be done by the user even if he is not currently logged in... I have done a lot of research but unable to fix this solution. I also found this thread but it seems to have no proper answer:
Spring Security 3.1 - Automatically redirect to login page when session-timeout occurs
For example, most of the banking sites log you out after a time out.. they do not wait until you come back and then submit a request before you are redirected to home page.
HTTP is stateless. To achieve some form of state the server can maintain a session for each user by giving them a session id on their first request. The user would have to resend that session id on each future request to identify that the other requests happen within the same session.
Because the session is maintained by the server, there is no way to notify the client that the session has timed out.
Instead, if the user makes a new request when the session is timed out, their session ID is no longer good and therefore you can take a particular action like redirect them to login page.
Assuming nothing works out. You may want to consider below mentioned approches:
Approach 1:
Create a cookie on browser and have encrypted timestamp in it that will contain last visited/request timestamp from browser, for each request first get get this cookie value and compare with the pre-defined session out time, if session-out time reached then redirect user to error page else serve the request. On logout delete the cookie.
Why encrypted value for timestamp: if somehow user gets to know about cookie used for session timeout then (s)he can change this value in browser and keep on sending this request.
Approach 2:
You can also achieve this by making an entry in your database for every logged-in user and updating timestamp in this database for each request. For each incoming request get this timestamp from database and compare it with pre-defined value for timeout and handle accordingly. On logout delete the entry.
In both the approaches explicitly perform response.redirect("errorPageUrl");
In my AJAX Spring application, have added code in web.xml for a session timeout of 10 minutes.
If the user tries to access the page after this interval, he is getting redirected to the session time out page correctly.
But if the user clicks the back button, the url with the same session id actually returns values instead of displaying the "timeout" page again. This happens only in IE9 . In all others, this is working correctly.
Any pointers?
Should I manually invalidate the session after a request from an invalidated page? If I manually invalidate the session in my controller, for such a request, it seems to work perfectly even in IE9. Can anyone explain why this occurs?
I am new to lift and trying to write a simple login application. When I leave my login page for some time, and I enter username and password it doesn't login instead it perform session expire behavior.
I checked the log and found that whenever I got INFO - Session navoo0xdu1ia1vi8m1c0cnl3w expired log message, the above behavior happens.
I am not able to understand why request is using the existing session, even if it's already expired. Please guide me where can I found documentation/example/tutorial to understand this behavior and how to implement simple session based login functionality.
Any help will be appreciated since this problem is bottleneck to me. I googled a lot but couldn't find anything useful.
If your session is expiring then it is because of one of two things:
1) The value set in LiftRules.sessionInactivityTimeout
or
2) The value set for session expiry within your container session.
The former is actually set to nothing by default, which means the latter will override it. Be aware however that provided you are interacting with Lift and have not disabled the heartbeat pulse then sessions do not expire. If you watch the AJAX traffic you will notice a page heartbeat used for function GC which keeps the page bound functions alive.
In my web application(jsp/servlet) there is a web page which create Ajax request periodically to grab the latest data from the server.This page is the main page which is always open once user log in to the system while other pages open in new browser windows(due to user events).
I have to invalidate the user session which idle for more than 30 minutes. For that I use Tomcat session timeout feature. But the thing is most of the time users session which are idle for 30 min are not invalidated.
But some time user sessions are invalidated by Tomcat after 30 min. I think this is because the main page send Ajax request periodically without idling the session.
I want to know that is Tomcat can't identified the auto generated request from user event and invalidate session properly.Please give an ideas on this,it will be very helpful for me.
Dinesh
I don't think you have a choice here - if Tomcat identifies and ignores the AJAX request, you'll lose the functionality it provides for you